Version 1.0 of the CMMC framework will be made available in January 2020 to support training requirements. In June 2020, the Defense Industrial Base (DIB) should begin to see the CMMC requirements as part of Requests for Information (RFI). Information posted is tentative and subject to change until the official CMMC framework release in January 2020.

What is the Cybersecurity Maturity Model Certification (CMMC)?

CMMC stands for “Cybersecurity Maturity Model Certification”. It is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity controls and processes are adequate and in place to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.

The goal of the Cybersecurity Maturity Model Certification is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.

CMMC Levels chart

The CMMC will encompass multiple maturity levels (1 – 5) that ranges from “basic cyber hygiene” to “advanced / progressive”. The processes and practices in each level are cumulative, with each one built upon the last. Required CMMC levels will be listed in RFP sections L and M and used as a “go / no go decision” for government contracts. The DoD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB).

Unlike the NIST 800-171 framework, there will be no self-certification for the Cybersecurity Maturity Model Certification. Instead, a third-party CMMC auditor will be required.

The cost of CMMC certification will be considered an allowable, reimbursable cost and will not be prohibitive. At this time, there is no set cost to become CMMC certified, however there may be a variance of cost depending on the level required. For contracts that require CMMC, you may be disqualified from participating if your organization is not certified. Certifications will be made public, but details regarding specific findings will not be publicly accessible.

What do we know for sure about the CMMC at this time?

Because the CMMC is in draft form, it is still being revised. There is NO company out there that can truly start to make a customer “CMMC compliant” and assist with the CMMC assessment process until after the final revision – 1.0 – comes out in January of 2020.

What we know is that the DoD will also be helping small companies meet these cybersecurity requirements, and make cybersecurity an “allowable cost”.

We understand the challenge to small companies. We are not going to put small companies out of business. We need them. We will find innovative ways to help make them cyber secure with the help of our large primes as well.

– Ellen Lord, Undersecretary of Defense for Acquisition and Sustainment

I need you all now to get out your pens and you better write this down and tell your teams: Hear it from Katie Arrington, who got permission to say it from Mr. [Kevin] Fahey [the assistant secretary of Defense for Acquisition in the Office of the Under Secretary of Acquisition and Sustainment] security is an allowable cost.

– Katie Arrington, special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD

What we also know is that based on statements from the DoD as well as what draft revisions have indicated, CMMC Level 3 will be closely aligned with the 110 controls NIST 800-171 revision 1, along with a number of additional controls added.

NIST 800-171 was to be implemented by DoD contractors by December 31, 2017. However, many are still behind the curve and the first step to CMMC for many government contractors will be the full implementation of NIST 800-171.

Stronghold Cyber Security has extensive experience working with compliance frameworks, particularly NIST 800-171, and can help your business prepare for the upcoming CMMC audit and certification process. Once the framework is finalized, Stronghold Cyber Security will be offering CMMC consulting and we can virtually service companies anywhere in the country.

To find out how we can assist your company with the upcoming CMMC compliance requirements, please call us at 1-800-378-1187, email info@strongholdcybersecurity.com or fill out the form on the right to get started!

Not ready to call us just yet? Sign up for our weekly cyber security newsletter!

*Important: We HATE spam as much or more than you do and will not rent, share, or sell your information with anyone ever! We will only use your information to communicate with you directly, and you can remove yourself from our list at any time with one simple click.